#VU78880 Information disclosure in Liferay Enterprise Portal and Liferay DXP - CVE-2023-3426


Vulnerability identifier: #VU78880

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-3426

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Liferay Enterprise Portal
Web applications / CMS
Liferay DXP
Web applications / CMS

Vendor: Liferay

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the organization selector does not check user permission. A remote user can obtain a list of all organizations.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Liferay Enterprise Portal: 7.4.3.81 ga81 - 7.4.3.85 ga85

Liferay DXP: 7.4 update 81 - 7.4 update 85

External links
https://liferay.dev:443/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Information disclosure in Liferay Portal and Liferay DXP